Praveenkumar Hulakund authored

(TAKE #2)

Description:
------------------------------------------------
A user who doesn't have any privileges on the routine or on the mysql.proc table is still able to discover its existence. This is wrong, as one should not know anything about a database object unless one has privileges on it.

Analysis:
------------------------------------------------
The problem was that a user without any privileges on a routine was able to find out whether it existed or not. "select <func_name>" and "call <proc_name>" were checking for the existence of the <func_name> or <proc_name> before checking whether the user has enough privileges to execute the function or not. The error "<func_name> doesn't exists" or "<proc_name> doesn't exists" was reported.

For CREATE, ALTER, DROP we are already providing the proper error:

DROP:
---------
mysql> drop function mysqltest.f1;
ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for routine 'mysqltest.f1'
mysql> drop procedure mysqltest.f1;
ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for routine 'mysqltest.f1'

CREATE:
----------
mysql> create function mysqltest.f1() returns int return 0;
ERROR 1044 (42000): Access denied for user ''@'localhost' to database 'mysqltest'
mysql> create procedure mysqltest.p1() begin end;
ERROR 1044 (42000): Access denied for user ''@'localhost' to database 'mysqltest'

ALTER:
---------
mysql> alter function mysqltest.f1 comment "TESTING";
ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for routine 'mysqltest.f1'
mysql> alter procedure mysqltest.f1 comment "TESTING";
ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for routine 'mysqltest.f1'

For "SELECT <function_name>" and "CALL <procedure_name>" we were providing the "doesn't exists" error. Also, when a non-existing function is used while creating views, we see the same issue.

Fix:
------------------------------------------------
SELECT and CALL didn't have the logic to check the execute privilege on the routine for the user. This patch solves the problem by checking the user's privileges before checking the existence of the function.